
Announcements

Security Weekly Blackhat Training Part 1: Sign up for "Offensive Countermeasures: Making Defense Sexy" as a two-day course at Blackhat July 30-31. Every student gets a FREE "Hack Naked" t-shirt and sticker!

Security Weekly Blackhat Training Part 2: Sign up for "Advanced Vulnerability Scanning Techniques Using Nessus" July 30-31 or August 1-2.

Larry is teaching SANS 617 SEC617: Wireless Ethical Hacking, Penetration Testing, and Defenses in the only country he is licensed to teach in - Canada! Catch him in Victoria May 9 to May 14th.

Register now for the 8th Annual Charlotte ISSA Security Summit featuring the 3 most adorable men in InfoSec: Security Weekly, Ed Skoudis, and Chris Hadnagy, all on May 5th.

Questions

Andrew Case is a security researcher at Digital Forensics Solutions where he is responsible for source code audits and pen testing. Andrew's primary research focus is physical memory analysis, and he's on the show today to give an update on his recent BlackHat presentation on De-Anonymizing Live CDs.

Larry's Stories

iPhone tracking - [Larry] - Yeah, Apple knows where you are. Location data is bad, once we get it from your iPhone's unencrypted backup. All sorts of fun stuff to be had with this tool. More info from Apple says that it is for uber fast location services, as GPS really is too slow, and is intended to enhance the user experience. Ok, cool, but why store data over such a long period of time? Apple backpedaled on this one and said, ok, we'll only store a week. I'd argue that you should store MUCH less than a week. Oh, there's a reason you say? Oh, right, the location information gets sent to Apple once a week, anonymously and encrypted. ORLY. Also, a bug or two was discovered based around recording location even with no data plan. More info here.

PSN Compromise - [Larry] - They keep upping the disclosures from 70 million to 77 million. Names, addresses, security questions and answers, user IDs, passwords, CC numbers, EXP and allegedly security numbers exposed. Took them almost a week to notify. Oh, and the PSN has been down now 6 days or so. That means no games online with your friends on streaming audio/video. No Netflix. Allegedly the network is down for a redesign. Mitigation? No, redesign. How much testing do you think this hastened redesign is getting? The real kicker here is, after reading some pastebin stuff, it appears some reversing and observing of traffic revealed all of this information quite some time ago, in the clear over the network, to servers with known vulnerabilities.

Coreflood uninstall? - [Larry] - FBI gets permission to update Coreflood, migrates it to "federal" servers, and now is granted permission to uninstall 2.3 million clients. How you like them apples.

Oracle massaging CVSS values? - [Larry] - AppSec is claiming that Oracle may be misleading users into believing that Oracle's calculated CVSS scores are actually higher than reported. Why? Oracle uses a slightly different metric based around how much damage an exploit could do. If it only harms the software it exploits, it gets a "Partial". If the exploit can be leveraged to gain system access, it gets "Complete", rating the CVSS score higher. Instead, AppSec claims that Oracle rarely uses "Complete", as the underlying metric that they use to generate this score (called Partial+) scores the same as a Partial, and not Complete like it should… That means the overall CVSS score is lower, and may be evaluated incorrectly by system admins. Oracle states that yeah, maybe you want to recalculate that. NO, ORACLE, YOU RECALCULATE THAT and FREAKING USE THE STANDARD THAT WAS SET FORTH. Sheesh. That's why we have a freaking standard.
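
To put numbers on the Partial+ dispute above, here is an added example (not from the show notes, AppSec or Oracle) that rescores a vector both ways. It assumes the CVSS version 2 base equations, whose impact values are the None/Partial/Complete the story mentions; the "P+" marker in the vector string and the sample vectors are constructed for illustration.

```python
# CVSS v2 base-score metric weights (from the public CVSS v2 specification).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Conf/Integ/Avail impact

REQUIRED = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into a dict and check all six metrics exist."""
    parts = dict(item.split(":", 1) for item in vector.split("/"))
    missing = [k for k in REQUIRED if k not in parts]
    if missing:
        raise ValueError("missing metrics: %s" % ", ".join(missing))
    return parts


def base_score(vector):
    """Return the CVSS v2 base score, rounded to one decimal."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def score_both(vector):
    """Score a vector containing the hypothetical 'P+' marker twice:
    once treating Partial+ as Partial, once as Complete."""
    as_partial = base_score(vector.replace(":P+", ":P"))
    as_complete = base_score(vector.replace(":P+", ":C"))
    return as_partial, as_complete


if __name__ == "__main__":
    # Constructed sample vectors, not taken from any real advisory.
    for v in ("AV:N/AC:L/Au:N/C:P+/I:P+/A:P+",
              "AV:N/AC:L/Au:S/C:P+/I:P+/A:P+"):
        low, high = score_both(v)
        print("%s  Partial=%.1f  Complete=%.1f" % (v, low, high))
```

A patching policy keyed to a score threshold would rank the same flaw very differently depending on which of the two numbers it is given.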

Certified Prepwned EC2 - [Larry] - I'm just starting to spin up some EC2 instances to play with, and found this interesting. Amazon has a bunch of prebuilt instances that you can pick from, or you can grab one from the 7300+ in the marketplace. What is interesting, in at least one case, a user named guru created a typical LAMP server, but left his SSH keys behind, allowing guru to log in as root if they had not been removed. guru claims it was an innocent mistake, Amazon notified users of that base image to migrate, but how many other images are in a similar state? How many folks using EC2 expect secure images, or even know enough to audit?

Paul's Stories

Supporting Unmaintainable Applications - I'm sure many of you have run into this situation before. Your company, or company you are helping, bought an application 5+ years ago, and it seems to work. However, it was delivered and no structure was put in place for updates. So now, you've got legacy technology behind it (Visual Studio 6.0 anyone?). I've seen this a lot. Rafal brings up good questions: Do you have the source code, the compiler, the developers, or the libraries to support this application? Usually the answer is no, and often the vendor has either gone out of business or written a new application that costs more money, forces you to transition your data (if it's compatible), re-train your users, and purchase new technology (servers, software, licenses). Your options according to Rafal? Re-write the application in house, retire the application, try to apply modern protections (Weak), or do nothing and hope you don't get hacked. Unfortunately, I see people doing nothing.

Sony Playstation Network Hacked - Sony confirms that the PlayStation Network's security mechanisms were fully circumvented, and that at least one of its most sensitive databases was breached and accessed sometime between April 17 and 19. Everybody drink :) They got not just emails, but passwords and likely credit cards of all PSN users. Was it SQL injection? Was it through Rebug, the developer network that can be enabled by hacking firmware? We don't know for sure, but it's clear that large companies need to do their part to secure their own networks and your data. Clearly we are not learning from others' mistakes. I agree we need to hold companies accountable for these breaches, they get off way too easy.

Random Network Problems - Some think this could be "hackers", some blame the routers, and others blame solar flares. In this case it was a network camera in use by a developer. Doh! I've been in this situation, analyzing logs, looking for the "intrusion", working with networking as the vendor tells them to upgrade firmware because there was a bug report that mentioned something that they claimed was close to the problem (even though it wasn't). You can spend a lot of time debugging these problems; it comes down to process for your end users. Knowing what's on your network is important; not letting users plug in switches and cataloging devices goes a long way to both network stability and security.

Logging Data in Enterprise Networks is easy - doing something with it harder - This is a common problem, storage is cheap and we have tools that collect data very well. Devices, such as SCADA and embedded systems, can generate data like there is no tomorrow. The problem is analyzing it. Most people blame the tools, but I argue this is a people problem. The network is a beast, constantly changing and moving around, and keeping up with analyzing logs is a tough task. It takes people with the right skills and the time to get this done. It's not a once a week or once a month thing, it's a daily thing. Employing an analyst or two goes a long way, take notes Sony.

China's Proxies suffer from default config flaw - I think it's funny that instead of allowing only connections from 127.0.0.1, they allow connections from anywhere, allowing people to use them as an open proxy! This is the default config, and it turns out these proxies are being abused. Go figure. Configuration management is key to success!

Why you should lock down your Wifi - A Buffalo man's home was raided, fully armed agents dragged him out on charges of child pornography. Why? His neighbor used his Wifi to download child pornography. A similar case was logged in Florida. They took all his computers, iPad, and iPhone. Three days later everything was cleared up.

Creepy Facebook Feature: Facial Recognition - This is scary, Facebook will now use technology to suggest the names of people in photos that you upload. New privacy settings, that are not straightforward, allow you to disable the feature. Awesome! Now I can take pictures of cute girls at the grocery store or at the park, upload them and Facebook will tell me who they are! (I'm pretty sure that's not [how] it works but I'm sure it will get there.)

Easy Wireless Setup? - I was curious what the latest was on the SES, Secure Easy Setup. This is where you get a wireless adapter and a wireless router, and they sync the key. Before every device had its own wireless card you could buy a Linksys router and a Linksys adapter and have them sync a key (SES). That was replaced by something else, don't remember, supposed to be vendor agnostic. Now everything has its own wireless, so they came up with Cisco Connect software, and Easy Setup Key. Some routers come with a USB drive with the setup software, some do not. So using the Cisco Connect software you can create an Easy Setup Key using any USB thumb drive. Confused yet? I sure am, and I can't imagine how someone like grandma will figure this out. So, we're back to everyone having insecure access points...

Darren's Stories

YOU'RE OUT! - This is what you get for being a Yankees fan. Also, sometimes you don't need a vuln, just a dumb employee. We all know there is no patch for human stupidity.